GHSA-JRM8-XGF3-FWQR

Vulnerability from github – Published: 2025-02-05 21:09 – Updated: 2025-02-26 22:12
VLAI?
Summary
MobSF Partial Denial of Service (DoS)
Details

Partial Denial of Service (DoS)

Product: MobSF Version: v4.2.9 CWE-ID: CWE-1287: Improper Validation of Specified Type of Input CVSS vector v.4.0: 6.9 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) CVSS vector v.3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Description: DoS in the Scans Results and iOS Dynamic Analyzer functionality Impact: Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable. Vulnerable component: urls.py https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401 Exploitation conditions: A malicious application was uploaded to the MobSF. Mitigation: Check the uploaded bundle IDs against the regex. Researcher: Oleg Surnin (Positive Technologies)

Research

Researcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer functionality. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). (https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier) However, an attacker can manually modify this value in Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. In the urls.py file URL rules are defined. https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401

Listing 3.

bundle_id_regex = r'(?P<bundle_id>([a-zA-Z0-9]{1}[\w.-]{1,255}))$'

# skip code
re_path(fr'^ios/view_report/{bundle_id_regex}',
                ios_view_report.ç,
                name='ios_view_report'),

When the application parses the wrong characters in the bundle ID, it encounters an error. As a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system.

Vulnerability reproduction

To reproduce the vulnerability, follow the steps described below.

• Unzip the IPA file of any iOS application.

Listing 4. Unzipping the file

unzip test.ipa

• Modify the value of <key>CFBundleIdentifier</key> by adding restricted characters in the Info.plist file.

image-6

*Figure 7. Example with ' character`

• Zip the modified IPA file.

Listing 5. Zipping the file

zip -r dos.ipa Payload/

• Upload the modified IPA file to Static Analysis and wait until it finished • Open the following pages: http://mobsf/recent_scans/ http://mobsf/ios/dynamic_analysis/

image-7

Figure 8. DoS Example

image-8

Figure 9. DoS Example

Please, assign all credits to Oleg Surnin (Positive Technologies)

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T21:09:21Z",
    "nvd_published_at": "2025-02-05T19:15:46Z",
    "severity": "HIGH"
  },
  "details": "# Partial Denial of Service (DoS)\n\n**Product:** MobSF\n**Version:** v4.2.9\n**CWE-ID:** CWE-1287: Improper Validation of Specified Type of Input\n**CVSS vector v.4.0:** 6.9 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n**Description:**  DoS in the Scans Results and iOS Dynamic Analyzer functionality \n**Impact:** Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable.\n**Vulnerable component:** urls.py\nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401\n**Exploitation conditions:** A malicious application was uploaded to the MobSF.\n**Mitigation:** Check the uploaded bundle IDs against the regex.\n**Researcher: Oleg Surnin (Positive Technologies)**\n\n## Research\n\nResearcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer functionality.\nAccording to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.).\n(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)\nHowever, an attacker can manually modify this value in `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value.\nIn the `urls.py` file URL rules are defined.\nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401\n\n*Listing 3.*\n```\nbundle_id_regex = r\u0027(?P\u003cbundle_id\u003e([a-zA-Z0-9]{1}[\\w.-]{1,255}))$\u0027\n\n# skip code\nre_path(fr\u0027^ios/view_report/{bundle_id_regex}\u0027,\n                ios_view_report.\u00e7,\n                name=\u0027ios_view_report\u0027),\n```\n\nWhen the application parses the wrong characters in the bundle ID, it encounters an error.\nAs a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system.\n\n## Vulnerability reproduction\n\nTo reproduce the vulnerability, follow the steps described below.\n\n\u2022\tUnzip the IPA file of any iOS application.\n\n*Listing 4. Unzipping the file*\n```\nunzip test.ipa\n```\n\n\u2022\tModify the value of `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` by adding restricted characters in the `Info.plist` file.\n\n\u003cimg width=\"364\" alt=\"image-6\" src=\"https://github.com/user-attachments/assets/97dce68a-a5e2-4048-b5c8-3090146a9635\" /\u003e\n\n*Figure 7. Example with `\u0027` character`\n\n\n\u2022\tZip the modified IPA file.\n\n*Listing 5. Zipping the file*\n```\nzip -r dos.ipa Payload/\n```\n\n\u2022\tUpload the modified IPA file to Static Analysis and wait until it finished\n\u2022\tOpen the following pages:\n`http://mobsf/recent_scans/`\n`http://mobsf/ios/dynamic_analysis/`\n\n\u003cimg width=\"1119\" alt=\"image-7\" src=\"https://github.com/user-attachments/assets/a7a9ae2e-cd84-4ec8-8132-25140a209ca0\" /\u003e\n\n*Figure 8. DoS Example*\n\n\u003cimg width=\"1141\" alt=\"image-8\" src=\"https://github.com/user-attachments/assets/a76e03ae-b4c6-4003-a145-c1fa4c88a7a5\" /\u003e\n \n*Figure 9. DoS Example*\n\n\n_________________\n\n### Please, assign all credits to Oleg Surnin (Positive Technologies)",
  "id": "GHSA-jrm8-xgf3-fwqr",
  "modified": "2025-02-26T22:12:22Z",
  "published": "2025-02-05T21:09:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-jrm8-xgf3-fwqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
    },
    {
      "type": "WEB",
      "url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MobSF Partial Denial of Service (DoS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.